Allow larger packets during GSSAPI authentication exchange.

Our GSSAPI code only allows packet sizes up to 16kB. However it emerges that during authentication, larger packets might be needed; various authorities suggest 48kB or 64kB as the maximum packet size. This limitation caused login failure for AD users who belong to many AD groups. To add insult to injury, we gave an unintelligible error message, typically "GSSAPI context establishment error: The routine must be called again to complete its function: Unknown error".

As noted in code comments, the 16kB packet limit is effectively a protocol constant once we are doing normal data transmission: the GSSAPI code splits the data stream at those points, and if we change the limit then we will have cross-version compatibility problems due to the receiver's buffer being too small in some combinations.

However, during the authentication exchange the packet sizes are not determined by us, but by the underlying GSSAPI library. So we might as well just try to send what the library tells us to. An unpatched recipient will fail on a packet larger than 16kB, but that's not worse than the sender failing without even trying. So this doesn't introduce any meaningful compatibility problem.

We still need a buffer size limit, but we can easily make it be 64kB rather than 16kB until transport negotiation is complete. (Larger values were discussed, but don't seem likely to add anything.)

Reported-by: Chris Gooch <cgo...@bamfunds.com>
Fix-suggested-by: Jacob Champion <jacob.champ...@enterprisedb.com>
Author: Tom Lane <t...@sss.pgh.pa.us>
Reviewed-by: Jacob Champion <jacob.champ...@enterprisedb.com>
Discussion: https://postgr.es/m/ds0pr22mb5971a9c8a3f44bcc6293c4dabe...@ds0pr22mb5971.namprd22.prod.outlook.com
Backpatch-through: 13

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/8b0aa7a6b723174cfa6f1a5e2a03217dba9f6e6e

Modified Files
--------------
src/backend/libpq/be-secure-gssapi.c    | 61 ++++++++++++++++++++---------
src/interfaces/libpq/fe-secure-gssapi.c | 68 ++++++++++++++++++++++++---------
2 files changed, 94 insertions(+), 35 deletions(-)
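
The phase-dependent limit described in the commit message, as an added illustration that is not taken from the PostgreSQL source. All identifiers are hypothetical, and the 4-byte big-endian length prefix and the choice that the limit covers header plus payload are assumptions; the `patched` flag models the cross-version case the message discusses.

```c
#include <stddef.h>
#include <stdint.h>

/* Sizes come from the commit message; all identifiers are hypothetical. */
#define DATA_PACKET_MAX (16 * 1024) /* fixed once normal data transmission starts */
#define AUTH_PACKET_MAX (64 * 1024) /* buffer limit during the authentication exchange */
#define HDR_LEN 4                   /* assumed framing: 4-byte big-endian length prefix */

typedef enum { PKT_OK, PKT_NEED_MORE, PKT_TOO_LARGE } pkt_status;

/* Limit a receiver enforces; an unpatched peer uses 16kB in both phases. */
static size_t packet_limit(int auth_done, int patched)
{
    if (auth_done || !patched)
        return DATA_PACKET_MAX;
    return AUTH_PACKET_MAX;
}

/*
 * Inspect buf[0..avail). The length field is supplied by the peer, so it is
 * checked against the phase limit before the payload is waited for or copied.
 * Assumption: the limit covers header plus payload.
 */
pkt_status check_packet(const unsigned char *buf, size_t avail,
                        int auth_done, int patched, uint32_t *payload_len)
{
    uint32_t len;

    if (avail < HDR_LEN)
        return PKT_NEED_MORE;
    len = ((uint32_t) buf[0] << 24) | ((uint32_t) buf[1] << 16) |
          ((uint32_t) buf[2] << 8) | (uint32_t) buf[3];
    if (len > packet_limit(auth_done, patched) - HDR_LEN)
        return PKT_TOO_LARGE;   /* reject before buffering anything */
    if (avail - HDR_LEN < len)
        return PKT_NEED_MORE;   /* header accepted, payload still arriving */
    *payload_len = len;
    return PKT_OK;
}
```

A 20000-byte authentication token is accepted by a patched receiver and rejected by an unpatched one, while the same length after authentication is rejected by both.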